When to say “No” to your CEO: The rise of social engineering fraud protection

By Matthew Brown, November 01, 2017

About a month after Christopher Sinclair took over as CEO of Mattel in 2015, he had a conversation with one of the toy company’s top finance executives. She reported proudly to her new boss that she had just completed the $3 million wire transfer to the new supplier in China he had requested earlier that day. A surprised Sinclair said he had requested no such transfer.

Mattel, as it turned out, had just become another victim of the fake CEO scam. Hackers had broken into the company’s email system, carefully observed how executives communicate about international payments, and then sent a forged message from the CEO’s account to the official in charge of bank transfers.

The fake CEO scam is just one type of attack known broadly as social engineering. Here’s how it works: Thieves pretending to be a company’s executive or vendor direct an employee in the targeted finance department to move money or securities into an outside account controlled by the thieves. Last year there was a 47% increase in the number of cases reported to the FBI of what it refers to as business email compromise attacks, a classification that includes most but not all of the social engineering scams. Reported losses totaled $360 million.

Many of the companies victimized by these attacks were in for a second surprise: their losses were not covered by insurance policies, even if they had a traditional crime bond and newer cyber liability policies.

Until recently, this sort of theft fell in a gap between two types of coverage.

Here’s why: A crime bond, also known as a fidelity bond when purchased by a financial institution, responds to direct losses from theft of company money or securities by unauthorized employees and third parties. In a social engineering scheme, the fraudster (purporting to be an employee) provides just enough information to sound legitimate and indicates that the transaction is highly confidential and does not require the usual control procedures. The receiving employee wants to be helpful and act efficiently to his colleague’s request. But by not following through with proper authorization, he unintentionally becomes ensnared in the theft of his company’s funds. The insurer’s position, generally, is that by not verifying the request according to protocol, the employee is willingly—albeit unwittingly—giving the funds away.

A cyber liability policy, meanwhile, covers a much broader range of expenses that stem from an attack on a company’s computer or network, including costs related to computer forensics, public relations, and legal representation. This definition also often excludes the direct loss of funds associated with social engineering theft, because these crimes often don’t involve any network intrusion. The criminals just send an open email to the target employee or sometimes they even call on the telephone.

Over the past few years, insurance companies have debated the right approach to covering social engineering fraud. Fidelity bond underwriters had been hesitant to cover such schemes, believing that an employee’s failure to positively confirm the identity of a requestor by following pre-arranged procedures would fall within the realm of “the cost of doing business.” They didn’t want to be on the hook for an employee’s failure to take proper precautions prior to transferring funds.

Unfortunately, most insurance companies were only willing to offer coverage at a sub-limit of excess liability. With persistent requests over the past year, however, we are finding that an increasing number of insurers are growing more comfortable with the risk of social engineering fraud. As we negotiate renewals of fidelity policies, we have successfully been able to convince insurers to incrementally raise the sub-limits for the social engineering endorsements.

Organizations concerned about the rapid rise of social engineering fraud have two action items: First, double-check your wire transfer controls and procedures, including dual authorization and callback requirements, and implement enhanced employee awareness training to make this sort of attack more difficult. Second, when it’s time to renew a fidelity bond, your broker should press underwriters for the highest limit possible for social engineering coverage. As organizations become more aware of social engineering risk and take a more proactive approach in negotiations, insurance companies are also becoming increasingly responsive.
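The two wire transfer controls named above (dual authorization and a callback requirement) are easy to state and easy to get subtly wrong: the callback must go to a contact registered in advance, never to a number supplied inside the request, and a request that asks to skip the controls because it is “confidential” is a reason to escalate, not a waiver. The following is an added illustration, not code from the article or from any company it mentions; the vendor directory, approver names and phone numbers are constructed, and the release policy is an assumption about how such a control might be modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed directory of pre-registered payees. Assumption: this record is
# maintained through a separate onboarding process and is never updated from
# details contained in an individual payment request.
REGISTERED_PAYEES = {
    "ACME Supplies": {
        "account": "DE89370400440532013000",  # constructed sample IBAN
        "phone": "+49-30-0000-0001",          # pre-arranged callback number
    },
}


@dataclass
class WireRequest:
    requester: str                 # who asked for the transfer (e.g. "ceo")
    beneficiary: str               # payee name as written in the request
    account: str                   # destination account as written in the request
    amount: float
    phone_in_request: Optional[str] = None   # a callback number the message itself supplies
    claims_confidential: bool = False        # "keep this quiet, skip the usual steps"


@dataclass
class ReleaseDecision:
    released: bool
    reasons: List[str]             # every control that blocked release


def evaluate_release(req: WireRequest, approvals: List[str],
                     callback_confirmed_via: Optional[str]) -> ReleaseDecision:
    """Apply the release controls and return why (if at all) the wire is held.

    approvals: names of people who approved the transfer.
    callback_confirmed_via: the phone number the treasury clerk actually called
    to confirm the request, or None if no callback was made.
    """
    reasons: List[str] = []

    # Control 1: dual authorization. The requester never counts as an approver,
    # so a single forged "CEO" message can never satisfy this on its own.
    distinct_approvers = {a for a in approvals if a != req.requester}
    if len(distinct_approvers) < 2:
        reasons.append("needs two approvers other than the requester")

    # Control 2: the destination account must match the pre-registered record.
    known = REGISTERED_PAYEES.get(req.beneficiary)
    if known is None:
        reasons.append("beneficiary is not in the registered payee directory")
    elif known["account"] != req.account:
        reasons.append("destination account differs from the registered account")

    # Control 3: the callback must have been made to the pre-arranged number.
    # A number supplied inside the request is controlled by whoever wrote the
    # request, so confirming through it proves nothing.
    if known is None or callback_confirmed_via != known["phone"]:
        reasons.append("callback not confirmed on the pre-registered number")
    if req.phone_in_request and callback_confirmed_via == req.phone_in_request:
        reasons.append("callback used a number taken from the request itself")

    # Control 4: a request to bypass the controls is a red flag, not a waiver.
    if req.claims_confidential:
        reasons.append("request asks to bypass controls; escalate instead of releasing")

    return ReleaseDecision(released=not reasons, reasons=reasons)


def demo() -> None:
    # Routine transfer to a known payee, properly approved and called back.
    ok = WireRequest("cfo", "ACME Supplies", "DE89370400440532013000", 25_000.0)
    print(evaluate_release(ok, ["treasury_a", "treasury_b"], "+49-30-0000-0001"))

    # A fake-CEO style request: new payee, new account, "confidential", and a
    # callback number helpfully included in the message.
    bad = WireRequest("ceo", "New China Supplier", "XX00000000000000000000", 3_000_000.0,
                      phone_in_request="+1-555-0100", claims_confidential=True)
    print(evaluate_release(bad, ["finance_exec"], "+1-555-0100"))


if __name__ == "__main__":
    demo()
```

The point of returning every failed control rather than stopping at the first is that the list is what a reviewer or an insurer will later ask about: it documents that the pre-arranged procedure was applied, which is exactly the question on which the coverage disputes described in this article turn.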